Medical Device Cybersecurity: US Requirements

  Manufacturers should:
  • Establish design inputs for their device related to cybersecurity.
  • Establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis required by 21 CFR 820.30(g) (design validation).
  • That approach should address:
    • Identification of assets, threats, and vulnerabilities;
    • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients;
    • Assessment of the likelihood of a threat and of a vulnerability being exploited;
    • Determination of risk levels and suitable mitigation strategies;
    • Assessment of residual risk and risk acceptance criteria.
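The five items above describe a risk-analysis procedure rather than a specific scoring method. The following is an added worked example, written for this page and not FDA's method or any manufacturer's risk file, that walks one constructed register through all five steps: asset, threat and vulnerability are recorded per entry, likelihood and impact are rated on assumed five-point qualitative scales, a risk level is derived from an assumed 5x5 matrix, mitigations lower the ratings, and the residual risk is checked against an assumed acceptance rule (low is always acceptable; medium is acceptable only when the residual impact on patients is below "serious"). The sample entries, scale names, matrix thresholds and acceptance rule are all assumptions chosen for illustration.

```python
"""Illustrative cybersecurity risk register for a medical device.

Added example, not FDA's method or any manufacturer's file. The
scales, risk matrix, acceptance rule and register entries are
assumptions; a real file defines these in its risk management plan.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales, rank 1 = lowest.
LIKELIHOOD = {"improbable": 1, "remote": 2, "occasional": 3,
              "probable": 4, "frequent": 5}
IMPACT = {"negligible": 1, "minor": 2, "serious": 3,
          "critical": 4, "catastrophic": 5}


def risk_level(likelihood: int, impact: int) -> str:
    """Assumed 5x5 matrix: product of ranks bucketed into three levels."""
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale


@dataclass
class Risk:
    asset: str          # step 1: asset
    threat: str         # step 1: threat
    vulnerability: str  # step 1: vulnerability
    likelihood: str     # step 3: likelihood of exploitation (scale name)
    impact: str         # step 2: impact on device function / patient
    mitigations: list = field(default_factory=list)  # step 4

    def inherent_level(self) -> str:
        return risk_level(LIKELIHOOD[self.likelihood], IMPACT[self.impact])

    def residual_ranks(self) -> tuple:
        """Ranks after applying mitigations, floored at 1 (step 5)."""
        lk = LIKELIHOOD[self.likelihood] - sum(
            m.likelihood_reduction for m in self.mitigations)
        im = IMPACT[self.impact] - sum(
            m.impact_reduction for m in self.mitigations)
        return max(1, lk), max(1, im)

    def residual_level(self) -> str:
        return risk_level(*self.residual_ranks())


def is_acceptable(risk: Risk) -> bool:
    """Assumed acceptance criteria: low residual risk is accepted; medium
    only if the residual patient impact is below 'serious'; high never."""
    level = risk.residual_level()
    _, impact = risk.residual_ranks()
    if level == "low":
        return True
    return level == "medium" and impact < IMPACT["serious"]


def build_register() -> list:
    """Constructed sample entries (not from any real device)."""
    return [
        Risk("infusion pump dose settings", "remote attacker on hospital Wi-Fi",
             "unauthenticated management service", "probable", "catastrophic",
             [Mitigation("remove service; require mutually authenticated TLS",
                         likelihood_reduction=3)]),
        Risk("patient data on device storage", "device lost or stolen",
             "unencrypted flash", "occasional", "serious",
             [Mitigation("encrypt storage at rest", impact_reduction=2)]),
        Risk("firmware image", "supply-chain tampering",
             "no signature check at boot", "remote", "catastrophic", []),
    ]


def evaluate(register: list) -> list:
    """(asset, inherent level, residual level, accepted?) per entry."""
    return [(r.asset, r.inherent_level(), r.residual_level(), is_acceptable(r))
            for r in register]


def needs_more_mitigation(register: list) -> list:
    """Assets whose residual risk fails the acceptance criteria."""
    return [r.asset for r in register if not is_acceptable(r)]


if __name__ == "__main__":
    reg = build_register()
    for row in evaluate(reg):
        print(row)
    print("open items:", needs_more_mitigation(reg))
```

Running it shows the unmitigated firmware entry staying at medium with a catastrophic residual impact, so it fails the acceptance rule and is listed as an open item; the two mitigated entries drop to low. In a real file the matrix thresholds and acceptance rule come from the manufacturer's risk management plan, and each mitigation would be traced back to a design input and its verification evidence.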